:: Re: [DNG] Help needed:[Fwd: eudev: …
Author: aitor
To: dng
Subject: Re: [DNG] Help needed:[Fwd: eudev: Methods to detect if running in a container.]
Hi Daniel,

On 1/4/20 9:07, Daniel Abrecht via Dng wrote:
> Hi,
>
> What's the point of trying to detect if eudev is run in a container?
> Is it just to not start it in that case?
> Would it just fail to start in them otherwise?
> Is that actually a problem?
> And could eudev not just be uninstalled in a container?


I don't know. But, as far as I know, this question arises from the
developers of runit.


> In any case, I don't like the idea of doing hacks like looking at
> inode numbers or trying to determine if there is a container or not.
> In addition to this, I don't like the idea of checking for being in a
> container in general.
>
> Instead, I would check for reasons why it doesn't work in a container,
> choose a sensible thing to check for out of those reasons, and then
> check for that.
>
> In this case, I would assume the following, although I haven't checked:
>  1) the container hypervisor (lxc/lxc, docker, libvirt-lxc, etc.) is
> responsible for managing/creating device files
>  2) eudev exists for managing/creating device files in other kinds of
> systems
>  3) device files can't be created in a container
>  4) 3. is due to the container hypervisor removing the cap_mknod
> capability from containers
>
> Given those assumptions, I think the sensible thing would be to either
> check for the mknod capability, or check if device nodes can't be
> created in /dev/ due to a lack of permissions. I think that's closer
> to the reason why one may not want to start eudev than trying to
> check if we're in a container.


Eudev already has a function regarding these functionalities:

[...]

        if (getpid() == 1) {
                /* If we are PID 1 we can just check our own
                 * environment variable */

                e = getenv("container");
                if (isempty(e)) {
                        r = 0;
                        goto finish;
                }
        } else {

                /* Otherwise, PID 1 dropped this information into a
                 * file in UDEV_ROOT_RUN. This is better than accessing
                 * /proc/1/environ, since we don't need CAP_SYS_PTRACE
                 * for that. */

                <cut> ** THIS PART DEPENDS SOMEHOW ON SYSTEMD ** <\cut>

        }

        /* We only recognize a selected few here, since we want to
         * enforce a redacted namespace */
        if (streq(e, "lxc"))
                _id = "lxc";
        else if (streq(e, "lxc-libvirt"))
                _id = "lxc-libvirt";
        else if (streq(e, "systemd-nspawn"))
                _id = "systemd-nspawn";
        else if (streq(e, "docker"))
                _id = "docker";
        else
                _id = "other";

[...]

Have a look at the code of:

int detect_container(const char **id) { ... }

in the file "virt.c":

https://github.com/gentoo/eudev/blob/master/src/shared/virt.c

Cheers,

Aitor.